reviewer2584311 - PeerSpot reviewer
Senior Cyber Security Analyst at a financial services firm with 10,001+ employees
Real User
Top 5 Leaderboard
Oct 28, 2024
Provides in-depth visibility and helps prioritize vulnerabilities and assets
Pros and Cons
  • "Qualys CSAM helps find all the assets. It categorizes information based on various criteria such as host and tenant version. It provides in-depth visibility into both hardware and software."
  • "From the user experience perspective, we need a simpler interface and reduced complexity in certain features, particularly with the Qualys Query Language."

What is our primary use case?

Currently, I use Qualys CSAM for asset management. It allows me to search for assets and manage them by implementing license management, asset inventory discovery, and ensuring that no device goes unmanaged. 

How has it helped my organization?

Qualys CSAM improves my organization's asset posture by providing visibility on cybersecurity assets and streamlining asset management and inventory.

It can detect every asset in our network. It is able to detect network devices such as switches, printers, and servers. However, it may provide information that is not useful, and sometimes, tagging might also be incorrect.

We were able to realize its benefits within six months. It took us around two to three months to get a good understanding of it. We spent some time fine-tuning it based on our needs and understanding false positives. Overall, in about six months, we could properly see its benefits.

Qualys CSAM helps me prioritize vulnerabilities through Qualys Vulnerability Score (QVS), which combines various threat and impact factors. It enables me to prioritize vulnerabilities based on the criticality and risk posed to my organization. This is beneficial for efficiently managing vulnerabilities.

Qualys TruRisk Scoring helps prioritize vulnerabilities and assets. It helps understand what could be prioritized for further remediation and what could be kept on hold for some time based on the manpower availability and the needs of the business.

What is most valuable?

Qualys CSAM helps find all the assets. It categorizes information based on various criteria such as host and tenant version. It provides in-depth visibility into both hardware and software.

What needs improvement?

Initial scans can produce excess data that needs refining. This extra data is not always useful for us in terms of understanding. They should provide the exact information required by the end user. It sometimes produces false positives for configurations when it comes to identifying exact hostnames and DNS names pertaining to certain IPs. Sometimes, the tagging might be incorrect. It might incorrectly tag assets. This is something that should be fixed.

Software composition analysis capability at the source code level would also be helpful. Other tools can check JAR and WAR files for any vulnerabilities. This capability is missing in Qualys CSAM.

From the user experience perspective, we need a simpler interface and reduced complexity in certain features, particularly with the Qualys Query Language. I work for a bank. I am a part of the regional team. We ask branches to use this tool effectively, but the branch IT teams find it difficult in terms of user experience. It is not easy for them to understand and use Qualys Query Language to fetch some inputs. The user interface must be improved in terms of giving some examples through popups and other UI elements. Currently, our users are not able to use it easily based on the basic training that we are giving them. That is why we are now documenting step-by-step instructions for completing tasks.

Some of the users find the UI to be very cluttered. They should simplify the dashboard. They would also like more customizable navigation.

Some users have reported slow asset discovery. They should improve speed and efficiency. When we use some of the profile options within Qualys for scanning, it can take 40 to 50 minutes to scan a single asset. That time could be reduced.

Users would also like more customizable reports. Currently, after downloading the reports, the team has to format the data provided by Qualys CSAM. If there is an option to customize the reports directly before downloading them, it would be very helpful. They can directly deliver the report to higher management. They do not have to spend time formatting the report.

There could also be better integration with other tools. Based on my integration experience previously, not in this company, there were some limitations with the integration. The APIs and integration options can be improved, making the integration with various tools such as ITSM tools a smooth experience.

My team is using some Python scripts. It would be great if Qualys could provide some custom scripts as a part of the subscription. It will help new users in terms of understanding the solution better. There should be better tagging and categorization. That would be helpful for us. The tagging system should be more intuitive and flexible. Currently, the dynamic grouping of these assets based on the conditions is not up to the mark. Some of them are incorrectly tagged.

In terms of the learning curve, some of the new users find it challenging to learn the full capabilities of the platform. In addition to supporting more customizations for dashboards, reporting, or navigation, there should be more resources for people to become familiar with the product. There should be more hands-on learning materials and a better onboarding experience. The current knowledge base is not up to date with the latest features. There should be updated learning material available along with a release. When they release any new features, it can take one or two months for the learning resources to be updated.

Vulnerability remediation recommendations need to be more appropriate and specific. There could also be improvements in terms of vulnerability context. Even though Qualys CSAM identifies vulnerabilities very well, it would be helpful to have more context. Currently, in some cases, Qualys is not able to fetch the right remediation solution or proper context. It gives a generic statement. At times, recommendations are also not appropriate.

Buyer's Guide
Qualys CyberSecurity Asset Management
March 2026
Learn what your peers think about Qualys CyberSecurity Asset Management. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
886,510 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Qualys CSAM for almost four years.

How are customer service and support?

Qualys' technical support team is responsive. They have a good knowledge base and helpful resources. The resolution of complex issues may sometimes take longer due to various factors, but the community and forum support is strong. Plenty of forums and resources are available from the support perspective.

How was the initial setup?

The initial setup was not easy or difficult; it was moderate. 

Qualys provides tutorials and tools, but they could be enhanced to be more user-friendly and more helpful in deploying it. Qualys releases updates and enhancements regularly and the documentation is available for the new release, but Qualys video tutorials and hands-on labs are not always available or updated in parallel. Such resources are very helpful for new users in our organization in understanding the new features and the tool.

What was our ROI?

There is a significant return on investment with Qualys CSAM in terms of efficiency in vulnerability identification and management.

What's my experience with pricing, setup cost, and licensing?

Qualys is competitively priced for its features. Its pricing is suitable for large organizations with more than 4,000 assets, but for smaller organizations with few assets, such as banks, the costs might be high. They should come up with packages that are suitable for small organizations.

What other advice do I have?

For Attack Surface management, we are using other tools in our organization. Our threat tracking and threat intelligence teams are using other tools. They are not integrated with the Qualys CSAM. We are exploring opportunities to integrate everything into one solution.

We are planning to integrate Qualys CSAM with ServiceNow within a year. Everything will be automatically integrated with the ServiceNow module.

Overall, I would rate Qualys CSAM an eight out of ten. There are some areas for improvement.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2588394 - PeerSpot reviewer
Works at a comms service provider with 1-10 employees
Real User
Top 5 Leaderboard
Mar 24, 2025
Helps with compliance and comprehensive asset management
Pros and Cons
  • "The integration with different third-party tools, such as cloud providers like Azure and AWS, and asset management tools like CMDB systems, is valuable."
  • "Overall, I would give Qualys CyberSecurity Asset Management a nine out of ten."
  • "The deployment is somewhat complicated and could be made more user-friendly for most users. It is currently not user-friendly for all users. It is good but can be improved. It is a new product, and they are working on it."

What is our primary use case?

We use it to identify all our assets, including those on our premises, cloud, and remote environments. It continuously monitors our assets, collects details like installed software, configurations, and vulnerabilities, and also assesses asset criticality and risk level. It prioritizes our vulnerabilities based on the business impact.

How has it helped my organization?

Qualys CyberSecurity Asset Management has given us a view into all portions of our assets, including printers and others, enabling us to uncover many previously unknown assets. Some of the assets were not shown by other solutions. There were some assets that were not registered in our CMDB. Teams had some assets that were connected to the network but were not registered. With the help of Qualys CyberSecurity Asset Management, we got a view of our complete posture. We were able to view all the assets.

We were able to see its benefits within a few weeks of deployment. We uncovered many assets that were previously unknown. It gives an overview of assets daily. 

It does its job of covering the attack surface, but we also use other solutions.

In addition to vulnerabilities, it also identifies all the other risk factors for our assets.

TruRisk Scoring helps prioritize vulnerabilities and assets, but its effectiveness varies from organization to organization. For us, it works, but sometimes, we have to manually prioritize assets.

We have leveraged the solution's ability to convert already-deployed Qualys Cloud Agents into passive sensors that detect assets connected to the network in real-time. It is pretty good in terms of insights or visibility.

The CMDB Sync feature has reduced our mean time to remediation by 15% to 20%.

What is most valuable?

The integration with different third-party tools, such as cloud providers like Azure and AWS, and asset management tools like CMDB systems, is valuable. 

It also helps detect shadow IT groups and enforce policies and compliance, ensuring that assets adhere to regulatory and internal security policies. It helps our team to maintain an accurate and up-to-date asset inventory.

What needs improvement?

The deployment is somewhat complicated and could be made more user-friendly for most users. It is currently not user-friendly for all users. It is good but can be improved. It is a new product, and they are working on it.

There is limited coverage for non-IT assets; although effective for IT assets, it may struggle with OT technologies, IoTs, and some non-traditional assets without proper integrations. 

It is dependent on the Qualys ecosystem. It works only with Qualys VMDR and other Qualys modules. If an organization relies on multiple security vendors, integration would require additional customization. Improving the integration part would be beneficial.

For how long have I used the solution?

I have used the solution for two years.

What do I think about the stability of the solution?

It is stable. I would rate it an eight out of ten for stability.

What do I think about the scalability of the solution?

It is scalable. I would rate its scalability a nine out of ten.

How are customer service and support?

They are good.

How would you rate customer service and support?

Positive

How was the initial setup?

For us, it was easy because we had experienced professionals. They did not face any issues. If it was done by someone with two, three, or four years of prior experience, they would struggle a bit. 

We already had other Qualys subscriptions, such as patch management, so we just bought the CSAM solution and started activating CABS. Though it is never fully done, as we develop it every day, after purchasing, it was mostly done within two weeks.

What about the implementation team?

We had a team of five, consisting of two senior and three junior members.

What other advice do I have?

Overall, I would give Qualys CyberSecurity Asset Management a nine out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Cybersecurity Engineer at a manufacturing company with 51-200 employees
Real User
Top 5
Oct 31, 2024
Visibility into products that are end-of-life is very beneficial
Pros and Cons
  • "Qualys CSAM is valuable for providing end-of-life and end-of-sale information. It gives me visibility into the number of products or hardware items that are end-of-life."
  • "Qualys CSAM is not super responsive, and there can be delays sometimes, especially with the network passive sensor. You might see duplicate objects which eventually disappear but it takes time. If that can be done faster, it will be great."

What is our primary use case?

I use Qualys CSAM to gain better visibility into all my endpoints. It is easier to find devices through Qualys CSAM rather than using our other asset inventories, as it gives me access to a single pane of glass.

How has it helped my organization?

Qualys CSAM helps manage external attack surfaces. I get daily emails about our external endpoints and potential vulnerabilities or ports that can be used for attacks. We work on securing them or hardening their configurations.

We do not have a lot of external-facing assets, but it gives us everything that we need to know. We have a developers team that works on the web pages on our new domain. Recently, they entered a new subdomain. Qualys CSAM found that and reported it as vulnerable because of the certificates. I reported that to upper management, and it is now taken care of.

Qualys CSAM's risk tools prioritize risks. Qualys CSAM in conjunction with patch management and vulnerability management helps to mitigate those vulnerabilities.

There is a good logic behind TruRisk. When we add things, we can rely on it. That is what is going to be important.

We have a network passive sensor. Some of our endpoints are work-from-home stations, and some of them are in the office. The network passive sensor finds everything that is connected to the office, and then it merges with the cloud agent.

What is most valuable?

Qualys CSAM is valuable for providing end-of-life and end-of-sale information. It gives me visibility into the number of products or hardware items that are end-of-life. This is a beneficial feature. I like that about it. That is a very good thing.

What needs improvement?

Qualys CSAM is not super responsive, and there can be delays sometimes, especially with the network passive sensor. You might see duplicate objects which eventually disappear but it takes time. If that can be done faster, it will be great.

For how long have I used the solution?

I have been using Qualys CSAM for approximately one and a half years.

What do I think about the scalability of the solution?

Qualys CSAM appears to be scalable. We do not have a lot of endpoints, but I know of a company with 60,000 endpoints. They seem to be doing fine. We have 500 to 600 endpoints, and it is working well.

How are customer service and support?

Most of the time, they are fast. We submitted some bugs, and they seem to have been resolved.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used ManageEngine before. It is not very similar, but it can give you some details about the endpoints, such as if they are end-of-life. They also pull the database from somewhere to compare our hardware or software, but Qualys CSAM gives a lot more information than that product. Qualys CSAM does a lot more.

How was the initial setup?

Its deployment is modular. Everything that we have is in the cloud. The cloud agent is installed on the endpoint, and there we have everything. The cloud agent collects all the information, drops it into the cloud, and syncs it in the database. Patch management and vulnerability management all do their work together.

The initial setup was seamless. It is at their back end. We paid for it, and they just turned it on. We saw results immediately once the module was turned on. Things in the cloud are done faster than on-prem, and this is not an on-prem solution. It is a cloud solution.

Its maintenance is taken care of by Qualys. We get the product 100% working and operational. We only have to work on the information in it. If we see something wrong, we try to do something. If it is easily fixable, we do it. If it is not, we get support.

What other advice do I have?

When I went to a Qualys conference, I understood the value of it, and I asked our management to get hold of it and purchase it. We were able to realize its benefits immediately.

To a colleague at another company who says they only need to add External Attack Surface Management to their vulnerability management detection/response program but they don’t need the full depth of the CSAM offering, I would recommend going for the whole CSAM. Only the external attack surface management will not be enough. If they have visibility into their external stuff, they should also have visibility into their internal stuff. Otherwise, they will only see the external stuff. They will not see how it links to internal stuff in terms of hardware, IP, and port.

New users need to spend a lot of time in order to understand it well. My advice would be to try searching, finding assets, and uploading tags to get accustomed to it.

I would rate Qualys CSAM a ten out of ten. It is a great product.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.